Accepting request 664459 from home:bfrogers:branches:Virtualization

Include security fixes and other recent "stable" fixes

OBS-URL: https://build.opensuse.org/request/show/664459
OBS-URL: https://build.opensuse.org/package/show/Virtualization/qemu?expand=0&rev=445
This commit is contained in:
Bruce Rogers 2019-01-10 21:10:49 +00:00 committed by Git OBS Bridge
parent 9dd3bf90ea
commit 8abcb1d6b2
21 changed files with 1510 additions and 17 deletions

View File

@ -14,14 +14,14 @@ Since the ioreqs themselves are re-used via a free list, this
should actually improve memory usage. should actually improve memory usage.
Signed-off-by: Tim Smith <tim.smith@citrix.com> Signed-off-by: Tim Smith <tim.smith@citrix.com>
[BSC#1100408] [BR: BSC#1100408]
Signed-off-by: Bruce Rogers <brogers@suse.com> Signed-off-by: Bruce Rogers <brogers@suse.com>
--- ---
hw/block/xen_disk.c | 7 ++----- hw/block/xen_disk.c | 9 ++++-----
1 file changed, 2 insertions(+), 5 deletions(-) 1 file changed, 4 insertions(+), 5 deletions(-)
diff --git a/hw/block/xen_disk.c b/hw/block/xen_disk.c diff --git a/hw/block/xen_disk.c b/hw/block/xen_disk.c
index d9a55faf27..e9501ee34c 100644 index d9a55faf27..df99162520 100644
--- a/hw/block/xen_disk.c --- a/hw/block/xen_disk.c
+++ b/hw/block/xen_disk.c +++ b/hw/block/xen_disk.c
@@ -110,7 +110,6 @@ static void ioreq_reset(struct ioreq *ioreq) @@ -110,7 +110,6 @@ static void ioreq_reset(struct ioreq *ioreq)
@ -32,15 +32,17 @@ index d9a55faf27..e9501ee34c 100644
ioreq->size = 0; ioreq->size = 0;
ioreq->presync = 0; ioreq->presync = 0;
@@ -135,6 +134,7 @@ static struct ioreq *ioreq_start(struct XenBlkDev *blkdev) @@ -135,6 +134,9 @@ static struct ioreq *ioreq_start(struct XenBlkDev *blkdev)
/* allocate new struct */ /* allocate new struct */
ioreq = g_malloc0(sizeof(*ioreq)); ioreq = g_malloc0(sizeof(*ioreq));
ioreq->blkdev = blkdev; ioreq->blkdev = blkdev;
+ ioreq->buf = qemu_memalign(XC_PAGE_SIZE, BLKIF_MAX_SEGMENTS_PER_REQUEST * XC_PAGE_SIZE); + ioreq->buf = qemu_memalign(XC_PAGE_SIZE,
+ BLKIF_MAX_SEGMENTS_PER_REQUEST *
+ XC_PAGE_SIZE);
blkdev->requests_total++; blkdev->requests_total++;
qemu_iovec_init(&ioreq->v, 1); qemu_iovec_init(&ioreq->v, 1);
} else { } else {
@@ -317,14 +317,12 @@ static void qemu_aio_complete(void *opaque, int ret) @@ -317,14 +319,12 @@ static void qemu_aio_complete(void *opaque, int ret)
if (ret == 0) { if (ret == 0) {
ioreq_grant_copy(ioreq); ioreq_grant_copy(ioreq);
} }
@ -55,7 +57,7 @@ index d9a55faf27..e9501ee34c 100644
break; break;
default: default:
break; break;
@@ -392,12 +390,10 @@ static int ioreq_runio_qemu_aio(struct ioreq *ioreq) @@ -392,12 +392,10 @@ static int ioreq_runio_qemu_aio(struct ioreq *ioreq)
{ {
struct XenBlkDev *blkdev = ioreq->blkdev; struct XenBlkDev *blkdev = ioreq->blkdev;
@ -68,7 +70,7 @@ index d9a55faf27..e9501ee34c 100644
goto err; goto err;
} }
@@ -1007,6 +1003,7 @@ static int blk_free(struct XenDevice *xendev) @@ -1007,6 +1005,7 @@ static int blk_free(struct XenDevice *xendev)
ioreq = QLIST_FIRST(&blkdev->freelist); ioreq = QLIST_FIRST(&blkdev->freelist);
QLIST_REMOVE(ioreq, list); QLIST_REMOVE(ioreq, list);
qemu_iovec_destroy(&ioreq->v); qemu_iovec_destroy(&ioreq->v);

View File

@ -0,0 +1,40 @@
From: Cornelia Huck <cohuck@redhat.com>
Date: Wed, 5 Dec 2018 15:35:03 +0100
Subject: vfio-ap: flag as compatible with balloon
vfio-ap devices do not pin any pages in the host. Therefore, they
are compatible with memory ballooning.
Flag them as compatible, so both vfio-ap and a balloon can be
used simultaneously.
Cc: qemu-stable@nongnu.org
Acked-by: Christian Borntraeger <borntraeger@de.ibm.com>
Tested-by: Tony Krowiak <akrowiak@linux.ibm.com>
Reviewed-by: Halil Pasic <pasic@linux.ibm.com>
Signed-off-by: Cornelia Huck <cohuck@redhat.com>
(cherry picked from commit 1883e8fc8005e9ef452890a075bae98e8c432968)
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
hw/vfio/ap.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/hw/vfio/ap.c b/hw/vfio/ap.c
index 65de952f44..0a25f5e096 100644
--- a/hw/vfio/ap.c
+++ b/hw/vfio/ap.c
@@ -104,6 +104,14 @@ static void vfio_ap_realize(DeviceState *dev, Error **errp)
vapdev->vdev.name = g_strdup_printf("%s", mdevid);
vapdev->vdev.dev = dev;
+ /*
+ * vfio-ap devices operate in a way compatible with
+ * memory ballooning, as no pages are pinned in the host.
+ * This needs to be set before vfio_get_device() for vfio common to
+ * handle the balloon inhibitor.
+ */
+ vapdev->vdev.balloon_allowed = true;
+
ret = vfio_get_device(vfio_group, mdevid, &vapdev->vdev, &local_err);
if (ret) {
goto out_get_dev_err;

View File

@ -0,0 +1,35 @@
From: Thomas Huth <thuth@redhat.com>
Date: Fri, 14 Dec 2018 14:08:07 +0100
Subject: hw/s390x: Fix bad mask in time2tod()
Since "s390x/tcg: avoid overflows in time2tod/tod2time", the
time2tod() function tries to deal with the 9 uppermost bits in the
time value, but uses the wrong mask for this: 0xff80000000000000 should
be used instead of 0xff10000000000000 here.
Fixes: 14055ce53c2d901d826ffad7fb7d6bb8ab46bdfd
Cc: qemu-stable@nongnu.org
Signed-off-by: Thomas Huth <thuth@redhat.com>
Message-Id: <1544792887-14575-1-git-send-email-thuth@redhat.com>
Reviewed-by: David Hildenbrand <david@redhat.com>
[CH: tweaked commit message]
(cherry picked from commit aba7a5a2de3dba5917024df25441f715b9249e31)
Signed-off-by: Cornelia Huck <cohuck@redhat.com>
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
include/hw/s390x/tod.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/include/hw/s390x/tod.h b/include/hw/s390x/tod.h
index 413c0d7c02..442f45b2f5 100644
--- a/include/hw/s390x/tod.h
+++ b/include/hw/s390x/tod.h
@@ -50,7 +50,7 @@ typedef struct S390TODClass {
/* Converts ns to s390's clock format */
static inline uint64_t time2tod(uint64_t ns)
{
- return (ns << 9) / 125 + (((ns & 0xff10000000000000ull) / 125) << 9);
+ return (ns << 9) / 125 + (((ns & 0xff80000000000000ull) / 125) << 9);
}
/* Converts s390's clock format to ns */

View File

@ -0,0 +1,102 @@
From: Zheng Xiang <zhengxiang9@huawei.com>
Date: Mon, 3 Dec 2018 15:05:17 +0800
Subject: pcie: set link state inactive/active after hot unplug/plug
When VM boots from the latest version of linux kernel, after
hot-unpluging virtio-blk disks which are hotplugged into
pcie-root-port, the VM's dmesg log shows:
[ 151.046242] pciehp 0000:00:05.0:pcie004: pending interrupts 0x0001 from Slot Status
[ 151.046365] pciehp 0000:00:05.0:pcie004: Slot(0-3): Attention button pressed
[ 151.046369] pciehp 0000:00:05.0:pcie004: Slot(0-3): Powering off due to button press
[ 151.046420] pciehp 0000:00:05.0:pcie004: pending interrupts 0x0010 from Slot Status
[ 151.046425] pciehp 0000:00:05.0:pcie004: pciehp_green_led_blink: SLOTCTRL a8 write cmd 200
[ 151.046464] pciehp 0000:00:05.0:pcie004: pending interrupts 0x0010 from Slot Status
[ 151.046468] pciehp 0000:00:05.0:pcie004: pciehp_set_attention_status: SLOTCTRL a8 write cmd c0
[ 156.163421] pciehp 0000:00:05.0:pcie004: pciehp_get_power_status: SLOTCTRL a8 value read 2f1
[ 156.163427] pciehp 0000:00:05.0:pcie004: pciehp_unconfigure_device: domain:bus:dev = 0000:06:00
[ 156.198736] pciehp 0000:00:05.0:pcie004: pending interrupts 0x0010 from Slot Status
[ 156.198772] pciehp 0000:00:05.0:pcie004: pciehp_power_off_slot: SLOTCTRL a8 write cmd 400
[ 157.224124] pciehp 0000:00:05.0:pcie004: pending interrupts 0x0018 from Slot Status
[ 157.224194] pciehp 0000:00:05.0:pcie004: pciehp_green_led_off: SLOTCTRL a8 write cmd 300
[ 157.224220] pciehp 0000:00:05.0:pcie004: pciehp_check_link_active: lnk_status = 2011
[ 157.224223] pciehp 0000:00:05.0:pcie004: Slot(0-3): Link Up
[ 157.224233] pciehp 0000:00:05.0:pcie004: pciehp_get_power_status: SLOTCTRL a8 value read 7f1
[ 157.224281] pciehp 0000:00:05.0:pcie004: pending interrupts 0x0010 from Slot Status
[ 157.224285] pciehp 0000:00:05.0:pcie004: pciehp_power_on_slot: SLOTCTRL a8 write cmd 0
[ 157.224300] pciehp 0000:00:05.0:pcie004: __pciehp_link_set: lnk_ctrl = 0
[ 157.224336] pciehp 0000:00:05.0:pcie004: pending interrupts 0x0010 from Slot Status
[ 157.224339] pciehp 0000:00:05.0:pcie004: pciehp_green_led_blink: SLOTCTRL a8 write cmd 200
[ 159.739294] pci 0000:06:00.0 id reading try 50 times with interval 20 ms to get ffffffff
[ 159.739315] pciehp 0000:00:05.0:pcie004: pciehp_check_link_status: lnk_status = 2011
[ 159.739318] pciehp 0000:00:05.0:pcie004: Failed to check link status
[ 159.739371] pciehp 0000:00:05.0:pcie004: pending interrupts 0x0010 from Slot Status
[ 159.739394] pciehp 0000:00:05.0:pcie004: pciehp_power_off_slot: SLOTCTRL a8 write cmd 400
[ 160.771426] pciehp 0000:00:05.0:pcie004: pending interrupts 0x0010 from Slot Status
[ 160.771452] pciehp 0000:00:05.0:pcie004: pciehp_green_led_off: SLOTCTRL a8 write cmd 300
[ 160.771495] pciehp 0000:00:05.0:pcie004: pending interrupts 0x0010 from Slot Status
[ 160.771499] pciehp 0000:00:05.0:pcie004: pciehp_set_attention_status: SLOTCTRL a8 write cmd 40
[ 160.771535] pciehp 0000:00:05.0:pcie004: pending interrupts 0x0010 from Slot Status
[ 160.771539] pciehp 0000:00:05.0:pcie004: pciehp_green_led_off: SLOTCTRL a8 write cmd 300
After analyzing the log information, it seems that qemu doesn't
change the Link Status from active to inactive after hot-unplug.
This results in the abnormal log after the linux kernel commit
d331710ea78fea merged.
Furthermore, If I hotplug the same virtio-blk disk after hot-unplug,
the virtio-blk would turn on and then back off.
So this patch set the Link Status inactive after hot-unplug and
active after hot-plug.
Signed-off-by: Zheng Xiang <zhengxiang9@huawei.com>
Signed-off-by: Zheng Xiang <xiang.zheng@linaro.org>
Cc: Wang Haibin <wanghaibin.wang@huawei.com>
Cc: qemu-stable@nongnu.org
Reviewed-by: Marcel Apfelbaum <marcel.apfelbaum@gmail.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
(cherry picked from commit 2f2b18f60bf17453b4c01197a9316615a3c1f1de)
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
hw/pci/pcie.c | 12 ++++++++++++
1 file changed, 12 insertions(+)
diff --git a/hw/pci/pcie.c b/hw/pci/pcie.c
index 6c91bd44a0..66b73b87c8 100644
--- a/hw/pci/pcie.c
+++ b/hw/pci/pcie.c
@@ -345,6 +345,10 @@ void pcie_cap_slot_hotplug_cb(HotplugHandler *hotplug_dev, DeviceState *dev,
if (!dev->hotplugged) {
pci_word_test_and_set_mask(exp_cap + PCI_EXP_SLTSTA,
PCI_EXP_SLTSTA_PDS);
+ if (pci_dev->cap_present & QEMU_PCIE_LNKSTA_DLLLA) {
+ pci_word_test_and_set_mask(exp_cap + PCI_EXP_LNKSTA,
+ PCI_EXP_LNKSTA_DLLLA);
+ }
return;
}
@@ -355,6 +359,10 @@ void pcie_cap_slot_hotplug_cb(HotplugHandler *hotplug_dev, DeviceState *dev,
if (pci_get_function_0(pci_dev)) {
pci_word_test_and_set_mask(exp_cap + PCI_EXP_SLTSTA,
PCI_EXP_SLTSTA_PDS);
+ if (pci_dev->cap_present & QEMU_PCIE_LNKSTA_DLLLA) {
+ pci_word_test_and_set_mask(exp_cap + PCI_EXP_LNKSTA,
+ PCI_EXP_LNKSTA_DLLLA);
+ }
pcie_cap_slot_event(PCI_DEVICE(hotplug_dev),
PCI_EXP_HP_EV_PDC | PCI_EXP_HP_EV_ABP);
}
@@ -531,6 +539,10 @@ void pcie_cap_slot_write_config(PCIDevice *dev,
pci_word_test_and_clear_mask(exp_cap + PCI_EXP_SLTSTA,
PCI_EXP_SLTSTA_PDS);
+ if (dev->cap_present & QEMU_PCIE_LNKSTA_DLLLA) {
+ pci_word_test_and_clear_mask(exp_cap + PCI_EXP_LNKSTA,
+ PCI_EXP_LNKSTA_DLLLA);
+ }
pci_word_test_and_set_mask(exp_cap + PCI_EXP_SLTSTA,
PCI_EXP_SLTSTA_PDC);
}

View File

@ -0,0 +1,30 @@
From: Corey Minyard <cminyard@mvista.com>
Date: Mon, 26 Nov 2018 12:28:44 -0600
Subject: pc:piix4: Update smbus I/O space after a migration
Otherwise it won't be set up correctly and won't work after
miigration.
Signed-off-by: Corey Minyard <cminyard@mvista.com>
Cc: Igor Mammedov <imammedo@redhat.com>
Cc: qemu-stable@nongnu.org
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
(cherry picked from commit 2b4e573c7c7b9a698ba6931ba456bbd8d3d8c84c)
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
hw/acpi/piix4.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/hw/acpi/piix4.c b/hw/acpi/piix4.c
index b0bd10b3f9..fb3620e6c0 100644
--- a/hw/acpi/piix4.c
+++ b/hw/acpi/piix4.c
@@ -173,6 +173,7 @@ static int vmstate_acpi_post_load(void *opaque, int version_id)
PIIX4PMState *s = opaque;
pm_io_space_update(s);
+ smbus_io_space_update(s);
return 0;
}

View File

@ -0,0 +1,54 @@
From: Gerd Hoffmann <kraxel@redhat.com>
Date: Wed, 9 Jan 2019 11:07:15 -0700
Subject: hw/usb: fix mistaken de-initialization of CCID state
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
From: Daniel P. Berrangé <berrange@redhat.com>
In previous commit:
commit 7dea29e4af17fc1d27478de9f8ea38144deac54a
Author: Li Qiang <liq3ea@gmail.com>
Date: Fri Oct 19 03:50:36 2018 -0700
hw: ccid-card-emulated: cleanup resource when realize in error path
The emulated_realize method was changed so that it jumps to a cleanup
label to de-initialize state upon error. This change failed to ensure
the success path exited the method before this point though. So the
mutexes are always destroyed even in normal operation. The result is
as crashtastic as expected:
$ qemu-system-x86_64 -usb -device usb-ccid,id=ccid0 -device ccid-card-emulated,backend=nss-emulated,id=smartcard0,bus=ccid0.0
qemu-system-x86_64: util/qemu-thread-posix.c:64: qemu_mutex_lock_impl: Assertion `mutex->initialized' failed.
Aborted (core dumped)
Fixes: 7dea29e4af1
Reported-by: Michael Tokarev <mjt@tls.msk.ru>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
Reviewed-by: Michael Tokarev <mjt@tls.msk.ru>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Tested-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Message-id: 20181221134115.27973-1-berrange@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
(cherry picked from commit 3fd2092fd11b9e4220a08eca0663cc59178a6c3f)
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
hw/usb/ccid-card-emulated.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/hw/usb/ccid-card-emulated.c b/hw/usb/ccid-card-emulated.c
index 25976ed84f..e0457d305b 100644
--- a/hw/usb/ccid-card-emulated.c
+++ b/hw/usb/ccid-card-emulated.c
@@ -549,6 +549,8 @@ static void emulated_realize(CCIDCardState *base, Error **errp)
qemu_thread_create(&card->apdu_thread_id, "ccid/apdu", handle_apdu_thread,
card, QEMU_THREAD_JOINABLE);
+ return;
+
out2:
clean_event_notifier(card);
out1:

View File

@ -0,0 +1,79 @@
From: Gerd Hoffmann <kraxel@redhat.com>
Date: Thu, 13 Dec 2018 13:25:11 +0100
Subject: usb-mtp: use O_NOFOLLOW and O_CLOEXEC.
Open files and directories with O_NOFOLLOW to avoid symlinks attacks.
While being at it also add O_CLOEXEC.
usb-mtp only handles regular files and directories and ignores
everything else, so users should not see a difference.
Because qemu ignores symlinks, carrying out a successful symlink attack
requires swapping an existing file or directory below rootdir for a
symlink and winning the race against the inotify notification to qemu.
Fixes: CVE-2018-16872
Cc: Prasad J Pandit <ppandit@redhat.com>
Cc: Bandan Das <bsd@redhat.com>
Reported-by: Michael Hanselmann <public@hansmi.ch>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Michael Hanselmann <public@hansmi.ch>
Message-id: 20181213122511.13853-1-kraxel@redhat.com
(cherry picked from commit bab9df35ce73d1c8e19a37e2737717ea1c984dc1)
[BR: BSC#1119493]
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
hw/usb/dev-mtp.c | 13 +++++++++----
1 file changed, 9 insertions(+), 4 deletions(-)
diff --git a/hw/usb/dev-mtp.c b/hw/usb/dev-mtp.c
index 100b7171f4..36c43b8c20 100644
--- a/hw/usb/dev-mtp.c
+++ b/hw/usb/dev-mtp.c
@@ -653,13 +653,18 @@ static void usb_mtp_object_readdir(MTPState *s, MTPObject *o)
{
struct dirent *entry;
DIR *dir;
+ int fd;
if (o->have_children) {
return;
}
o->have_children = true;
- dir = opendir(o->path);
+ fd = open(o->path, O_DIRECTORY | O_CLOEXEC | O_NOFOLLOW);
+ if (fd < 0) {
+ return;
+ }
+ dir = fdopendir(fd);
if (!dir) {
return;
}
@@ -1007,7 +1012,7 @@ static MTPData *usb_mtp_get_object(MTPState *s, MTPControl *c,
trace_usb_mtp_op_get_object(s->dev.addr, o->handle, o->path);
- d->fd = open(o->path, O_RDONLY);
+ d->fd = open(o->path, O_RDONLY | O_CLOEXEC | O_NOFOLLOW);
if (d->fd == -1) {
usb_mtp_data_free(d);
return NULL;
@@ -1031,7 +1036,7 @@ static MTPData *usb_mtp_get_partial_object(MTPState *s, MTPControl *c,
c->argv[1], c->argv[2]);
d = usb_mtp_data_alloc(c);
- d->fd = open(o->path, O_RDONLY);
+ d->fd = open(o->path, O_RDONLY | O_CLOEXEC | O_NOFOLLOW);
if (d->fd == -1) {
usb_mtp_data_free(d);
return NULL;
@@ -1658,7 +1663,7 @@ static void usb_mtp_write_data(MTPState *s)
0, 0, 0, 0);
goto done;
}
- d->fd = open(path, O_CREAT | O_WRONLY, mask);
+ d->fd = open(path, O_CREAT | O_WRONLY | O_CLOEXEC | O_NOFOLLOW, mask);
if (d->fd == -1) {
usb_mtp_queue_result(s, RES_STORE_FULL, d->trans,
0, 0, 0, 0);

View File

@ -0,0 +1,41 @@
From: Prasad J Pandit <pjp@fedoraproject.org>
Date: Wed, 12 Dec 2018 23:28:17 +0530
Subject: pvrdma: release device resources in case of an error
If during pvrdma device initialisation an error occurs,
pvrdma_realize() does not release memory resources, leading
to memory leakage.
Reported-by: Li Qiang <liq3ea@163.com>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Message-Id: <20181212175817.815-1-ppandit@redhat.com>
Reviewed-by: Yuval Shaia <yuval.shaia@oracle.com>
Signed-off-by: Marcel Apfelbaum <marcel.apfelbaum@gmail.com>
(cherry picked from commit cce648613bc802be1b894227f7fd94d88476ea07)
[BR: BSC#1119437]
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
hw/rdma/vmw/pvrdma_main.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/hw/rdma/vmw/pvrdma_main.c b/hw/rdma/vmw/pvrdma_main.c
index ca5fa8d981..34d8cc4694 100644
--- a/hw/rdma/vmw/pvrdma_main.c
+++ b/hw/rdma/vmw/pvrdma_main.c
@@ -572,7 +572,7 @@ static int pvrdma_check_ram_shared(Object *obj, void *opaque)
static void pvrdma_realize(PCIDevice *pdev, Error **errp)
{
- int rc;
+ int rc = 0;
PVRDMADev *dev = PVRDMA_DEV(pdev);
Object *memdev_root;
bool ram_shared = false;
@@ -632,6 +632,7 @@ static void pvrdma_realize(PCIDevice *pdev, Error **errp)
out:
if (rc) {
+ pvrdma_fini(pdev);
error_append_hint(errp, "Device fail to load\n");
}
}

View File

@ -0,0 +1,46 @@
From: Prasad J Pandit <pjp@fedoraproject.org>
Date: Thu, 13 Dec 2018 01:00:34 +0530
Subject: rdma: check num_sge does not exceed MAX_SGE
rdma back-end has scatter/gather array ibv_sge[MAX_SGE=4] set
to have 4 elements. A guest could send a 'PvrdmaSqWqe' ring element
with 'num_sge' set to > MAX_SGE, which may lead to OOB access issue.
Add check to avoid it.
Reported-by: Saar Amar <saaramar5@gmail.com>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Reviewed-by: Yuval Shaia <yuval.shaia@oracle.com>
Signed-off-by: Marcel Apfelbaum <marcel.apfelbaum@gmail.com>
(cherry picked from commit 0e68373cc2b3a063ce067bc0cc3edaf370752890)
[BR: BSC#1119840, modified complete_work() calls to be comp_handler()]
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
hw/rdma/rdma_backend.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/hw/rdma/rdma_backend.c b/hw/rdma/rdma_backend.c
index d7a4bbd91f..0b3b98a94c 100644
--- a/hw/rdma/rdma_backend.c
+++ b/hw/rdma/rdma_backend.c
@@ -311,8 +311,8 @@ void rdma_backend_post_send(RdmaBackendDev *backend_dev,
}
pr_dbg("num_sge=%d\n", num_sge);
- if (!num_sge) {
- pr_dbg("num_sge=0\n");
+ if (!num_sge || num_sge > MAX_SGE) {
+ pr_dbg("invalid num_sge=%d\n", num_sge);
comp_handler(IBV_WC_GENERAL_ERR, VENDOR_ERR_NO_SGE, ctx);
return;
}
@@ -390,8 +390,8 @@ void rdma_backend_post_recv(RdmaBackendDev *backend_dev,
}
pr_dbg("num_sge=%d\n", num_sge);
- if (!num_sge) {
- pr_dbg("num_sge=0\n");
+ if (!num_sge || num_sge > MAX_SGE) {
+ pr_dbg("invalid num_sge=%d\n", num_sge);
comp_handler(IBV_WC_GENERAL_ERR, VENDOR_ERR_NO_SGE, ctx);
return;
}

View File

@ -0,0 +1,41 @@
From: Prasad J Pandit <pjp@fedoraproject.org>
Date: Thu, 13 Dec 2018 01:00:35 +0530
Subject: pvrdma: add uar_read routine
Define skeleton 'uar_read' routine. Avoid NULL dereference.
Reported-by: Li Qiang <liq3ea@163.com>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Reviewed-by: Marcel Apfelbaum <marcel.apfelbaum@gmail.com>
Signed-off-by: Marcel Apfelbaum <marcel.apfelbaum@gmail.com>
(cherry picked from commit 2aa86456fb938a11f2b7bd57c8643c213218681c)
[BR: BSC#1119979 CVE-2018-20191]
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
hw/rdma/vmw/pvrdma_main.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/hw/rdma/vmw/pvrdma_main.c b/hw/rdma/vmw/pvrdma_main.c
index 34d8cc4694..c9d9631769 100644
--- a/hw/rdma/vmw/pvrdma_main.c
+++ b/hw/rdma/vmw/pvrdma_main.c
@@ -455,6 +455,11 @@ static const MemoryRegionOps regs_ops = {
},
};
+static uint64_t uar_read(void *opaque, hwaddr addr, unsigned size)
+{
+ return 0xffffffff;
+}
+
static void uar_write(void *opaque, hwaddr addr, uint64_t val, unsigned size)
{
PVRDMADev *dev = opaque;
@@ -496,6 +501,7 @@ static void uar_write(void *opaque, hwaddr addr, uint64_t val, unsigned size)
}
static const MemoryRegionOps uar_ops = {
+ .read = uar_read,
.write = uar_write,
.endianness = DEVICE_LITTLE_ENDIAN,
.impl = {

View File

@ -0,0 +1,48 @@
From: Prasad J Pandit <pjp@fedoraproject.org>
Date: Thu, 13 Dec 2018 01:00:36 +0530
Subject: pvrdma: check number of pages when creating rings
When creating CQ/QP rings, an object can have up to
PVRDMA_MAX_FAST_REG_PAGES 8 pages. Check 'npages' parameter
to avoid excessive memory allocation or a null dereference.
Reported-by: Li Qiang <liq3ea@163.com>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Reviewed-by: Yuval Shaia <yuval.shaia@oracle.com>
Signed-off-by: Marcel Apfelbaum <marcel.apfelbaum@gmail.com>
(cherry picked from commit 2c858ce5da8ae6689c75182b73bc455a291cad41)
[BR: BSC#1119989 CVE-2018-20125]
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
hw/rdma/vmw/pvrdma_cmd.c | 11 +++++++++++
1 file changed, 11 insertions(+)
diff --git a/hw/rdma/vmw/pvrdma_cmd.c b/hw/rdma/vmw/pvrdma_cmd.c
index 4faeb21631..ce2514aacb 100644
--- a/hw/rdma/vmw/pvrdma_cmd.c
+++ b/hw/rdma/vmw/pvrdma_cmd.c
@@ -261,6 +261,11 @@ static int create_cq_ring(PCIDevice *pci_dev , PvrdmaRing **ring,
int rc = -EINVAL;
char ring_name[MAX_RING_NAME_SZ];
+ if (!nchunks || nchunks > PVRDMA_MAX_FAST_REG_PAGES) {
+ pr_dbg("invalid nchunks: %d\n", nchunks);
+ return rc;
+ }
+
pr_dbg("pdir_dma=0x%llx\n", (long long unsigned int)pdir_dma);
dir = rdma_pci_dma_map(pci_dev, pdir_dma, TARGET_PAGE_SIZE);
if (!dir) {
@@ -377,6 +382,12 @@ static int create_qp_rings(PCIDevice *pci_dev, uint64_t pdir_dma,
char ring_name[MAX_RING_NAME_SZ];
uint32_t wqe_sz;
+ if (!spages || spages > PVRDMA_MAX_FAST_REG_PAGES
+ || !rpages || rpages > PVRDMA_MAX_FAST_REG_PAGES) {
+ pr_dbg("invalid pages: %d, %d\n", spages, rpages);
+ return rc;
+ }
+
pr_dbg("pdir_dma=0x%llx\n", (long long unsigned int)pdir_dma);
dir = rdma_pci_dma_map(pci_dev, pdir_dma, TARGET_PAGE_SIZE);
if (!dir) {

View File

@ -0,0 +1,79 @@
From: Prasad J Pandit <pjp@fedoraproject.org>
Date: Thu, 13 Dec 2018 01:00:39 +0530
Subject: pvrdma: check return value from pvrdma_idx_ring_has_ routines
pvrdma_idx_ring_has_[data/space] routines also return invalid
index PVRDMA_INVALID_IDX[=-1], if ring has no data/space. Check
return value from these routines to avoid plausible infinite loops.
Reported-by: Li Qiang <liq3ea@163.com>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Reviewed-by: Yuval Shaia <yuval.shaia@oracle.com>
Signed-off-by: Marcel Apfelbaum <marcel.apfelbaum@gmail.com>
(cherry picked from commit f1e2e38ee0136b7710a2caa347049818afd57a1b)
[BR: BSC#1119984 CVE-2018-20216]
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
hw/rdma/vmw/pvrdma_dev_ring.c | 29 +++++++++++------------------
1 file changed, 11 insertions(+), 18 deletions(-)
diff --git a/hw/rdma/vmw/pvrdma_dev_ring.c b/hw/rdma/vmw/pvrdma_dev_ring.c
index 01247fc041..e8e5b502f6 100644
--- a/hw/rdma/vmw/pvrdma_dev_ring.c
+++ b/hw/rdma/vmw/pvrdma_dev_ring.c
@@ -73,23 +73,16 @@ out:
void *pvrdma_ring_next_elem_read(PvrdmaRing *ring)
{
+ int e;
unsigned int idx = 0, offset;
- /*
- pr_dbg("%s: t=%d, h=%d\n", ring->name, ring->ring_state->prod_tail,
- ring->ring_state->cons_head);
- */
-
- if (!pvrdma_idx_ring_has_data(ring->ring_state, ring->max_elems, &idx)) {
+ e = pvrdma_idx_ring_has_data(ring->ring_state, ring->max_elems, &idx);
+ if (e <= 0) {
pr_dbg("No more data in ring\n");
return NULL;
}
offset = idx * ring->elem_sz;
- /*
- pr_dbg("idx=%d\n", idx);
- pr_dbg("offset=%d\n", offset);
- */
return ring->pages[offset / TARGET_PAGE_SIZE] + (offset % TARGET_PAGE_SIZE);
}
@@ -105,20 +98,20 @@ void pvrdma_ring_read_inc(PvrdmaRing *ring)
void *pvrdma_ring_next_elem_write(PvrdmaRing *ring)
{
- unsigned int idx, offset, tail;
+ int idx;
+ unsigned int offset, tail;
- /*
- pr_dbg("%s: t=%d, h=%d\n", ring->name, ring->ring_state->prod_tail,
- ring->ring_state->cons_head);
- */
-
- if (!pvrdma_idx_ring_has_space(ring->ring_state, ring->max_elems, &tail)) {
+ idx = pvrdma_idx_ring_has_space(ring->ring_state, ring->max_elems, &tail);
+ if (idx <= 0) {
pr_dbg("CQ is full\n");
return NULL;
}
idx = pvrdma_idx(&ring->ring_state->prod_tail, ring->max_elems);
- /* TODO: tail == idx */
+ if (idx < 0 || tail != idx) {
+ pr_dbg("invalid idx\n");
+ return NULL;
+ }
offset = idx * ring->elem_sz;
return ring->pages[offset / TARGET_PAGE_SIZE] + (offset % TARGET_PAGE_SIZE);

View File

@ -0,0 +1,103 @@
From: Prasad J Pandit <pjp@fedoraproject.org>
Date: Thu, 13 Dec 2018 01:00:37 +0530
Subject: pvrdma: release ring object in case of an error
create_cq and create_qp routines allocate ring object, but it's
not released in case of an error, leading to memory leakage.
Reported-by: Li Qiang <liq3ea@163.com>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Reviewed-by: Yuval Shaia <yuval.shaia@oracle.com>
Signed-off-by: Marcel Apfelbaum <marcel.apfelbaum@gmail.com>
(cherry picked from commit 509f57c98e7536905bb4902363d0cba66ce7e089)
[BR: BSC#1119991 CVE-2018-20126]
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
hw/rdma/vmw/pvrdma_cmd.c | 39 ++++++++++++++++++++++++++++-----------
1 file changed, 28 insertions(+), 11 deletions(-)
diff --git a/hw/rdma/vmw/pvrdma_cmd.c b/hw/rdma/vmw/pvrdma_cmd.c
index ce2514aacb..51da4a1c40 100644
--- a/hw/rdma/vmw/pvrdma_cmd.c
+++ b/hw/rdma/vmw/pvrdma_cmd.c
@@ -315,6 +315,14 @@ out:
return rc;
}
+static void destroy_cq_ring(PvrdmaRing *ring)
+{
+ pvrdma_ring_free(ring);
+ /* ring_state was in slot 1, not 0 so need to jump back */
+ rdma_pci_dma_unmap(ring->dev, --ring->ring_state, TARGET_PAGE_SIZE);
+ g_free(ring);
+}
+
static int create_cq(PVRDMADev *dev, union pvrdma_cmd_req *req,
union pvrdma_cmd_resp *rsp)
{
@@ -338,6 +346,9 @@ static int create_cq(PVRDMADev *dev, union pvrdma_cmd_req *req,
resp->hdr.err = rdma_rm_alloc_cq(&dev->rdma_dev_res, &dev->backend_dev,
cmd->cqe, &resp->cq_handle, ring);
+ if (resp->hdr.err) {
+ destroy_cq_ring(ring);
+ }
resp->cqe = cmd->cqe;
out:
@@ -361,10 +372,7 @@ static int destroy_cq(PVRDMADev *dev, union pvrdma_cmd_req *req,
}
ring = (PvrdmaRing *)cq->opaque;
- pvrdma_ring_free(ring);
- /* ring_state was in slot 1, not 0 so need to jump back */
- rdma_pci_dma_unmap(PCI_DEVICE(dev), --ring->ring_state, TARGET_PAGE_SIZE);
- g_free(ring);
+ destroy_cq_ring(ring);
rdma_rm_dealloc_cq(&dev->rdma_dev_res, cmd->cq_handle);
@@ -462,6 +470,17 @@ out:
return rc;
}
+static void destroy_qp_rings(PvrdmaRing *ring)
+{
+ pr_dbg("sring=%p\n", &ring[0]);
+ pvrdma_ring_free(&ring[0]);
+ pr_dbg("rring=%p\n", &ring[1]);
+ pvrdma_ring_free(&ring[1]);
+
+ rdma_pci_dma_unmap(ring->dev, ring->ring_state, TARGET_PAGE_SIZE);
+ g_free(ring);
+}
+
static int create_qp(PVRDMADev *dev, union pvrdma_cmd_req *req,
union pvrdma_cmd_resp *rsp)
{
@@ -492,6 +511,10 @@ static int create_qp(PVRDMADev *dev, union pvrdma_cmd_req *req,
cmd->max_send_sge, cmd->send_cq_handle,
cmd->max_recv_wr, cmd->max_recv_sge,
cmd->recv_cq_handle, rings, &resp->qpn);
+ if (resp->hdr.err) {
+ destroy_qp_rings(rings);
+ return resp->hdr.err;
+ }
resp->max_send_wr = cmd->max_send_wr;
resp->max_recv_wr = cmd->max_recv_wr;
@@ -566,13 +589,7 @@ static int destroy_qp(PVRDMADev *dev, union pvrdma_cmd_req *req,
rdma_rm_dealloc_qp(&dev->rdma_dev_res, cmd->qp_handle);
ring = (PvrdmaRing *)qp->opaque;
- pr_dbg("sring=%p\n", &ring[0]);
- pvrdma_ring_free(&ring[0]);
- pr_dbg("rring=%p\n", &ring[1]);
- pvrdma_ring_free(&ring[1]);
-
- rdma_pci_dma_unmap(PCI_DEVICE(dev), ring->ring_state, TARGET_PAGE_SIZE);
- g_free(ring);
+ destroy_qp_rings(ring);
return 0;
}

View File

@ -0,0 +1,637 @@
From: Kevin Wolf <kwolf@redhat.com>
Date: Wed, 9 Jan 2019 11:10:07 -0700
Subject: block: Fix hangs in synchronous APIs with iothreads
In the block layer, synchronous APIs are often implemented by creating a
coroutine that calls the asynchronous coroutine-based implementation and
then waiting for completion with BDRV_POLL_WHILE().
For this to work with iothreads (more specifically, when the synchronous
API is called in a thread that is not the home thread of the block
device, so that the coroutine will run in a different thread), we must
make sure to call aio_wait_kick() at the end of the operation. Many
places are missing this, so that BDRV_POLL_WHILE() keeps hanging even if
the condition has long become false.
Note that bdrv_dec_in_flight() involves an aio_wait_kick() call. This
corresponds to the BDRV_POLL_WHILE() in the drain functions, but it is
generally not enough for most other operations because they haven't set
the return value in the coroutine entry stub yet. To avoid race
conditions there, we need to kick after setting the return value.
The race window is small enough that the problem doesn't usually surface
in the common path. However, it does surface and causes easily
reproducible hangs if the operation can return early before even calling
bdrv_inc/dec_in_flight, which many of them do (trivial error or no-op
success paths).
The bug in bdrv_truncate(), bdrv_check() and bdrv_invalidate_cache() is
slightly different: These functions even neglected to schedule the
coroutine in the home thread of the node. This avoids the hang, but is
obviously wrong, too. Fix those to schedule the coroutine in the right
AioContext in addition to adding aio_wait_kick() calls.
Cc: qemu-stable@nongnu.org
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
block.c | 6 +-
block/block-backend.c | 5 +
block/io.c | 8 +-
block/nbd-client.c | 1 +
block/nvme.c | 1 +
block/qcow2.c | 1 +
block/qed.c | 1 +
tests/Makefile.include | 2 +
tests/test-block-iothread.c | 372 ++++++++++++++++++++++++++++++++++++
9 files changed, 394 insertions(+), 3 deletions(-)
diff --git a/block.c b/block.c
index 811239ca23..79d48d7d78 100644
--- a/block.c
+++ b/block.c
@@ -3736,6 +3736,7 @@ static void bdrv_check_co_entry(void *opaque)
{
CheckCo *cco = opaque;
cco->ret = bdrv_co_check(cco->bs, cco->res, cco->fix);
+ aio_wait_kick();
}
int bdrv_check(BlockDriverState *bs,
@@ -3754,7 +3755,7 @@ int bdrv_check(BlockDriverState *bs,
bdrv_check_co_entry(&cco);
} else {
co = qemu_coroutine_create(bdrv_check_co_entry, &cco);
- qemu_coroutine_enter(co);
+ bdrv_coroutine_enter(bs, co);
BDRV_POLL_WHILE(bs, cco.ret == -EINPROGRESS);
}
@@ -4571,6 +4572,7 @@ static void coroutine_fn bdrv_invalidate_cache_co_entry(void *opaque)
InvalidateCacheCo *ico = opaque;
bdrv_co_invalidate_cache(ico->bs, ico->errp);
ico->done = true;
+ aio_wait_kick();
}
void bdrv_invalidate_cache(BlockDriverState *bs, Error **errp)
@@ -4587,7 +4589,7 @@ void bdrv_invalidate_cache(BlockDriverState *bs, Error **errp)
bdrv_invalidate_cache_co_entry(&ico);
} else {
co = qemu_coroutine_create(bdrv_invalidate_cache_co_entry, &ico);
- qemu_coroutine_enter(co);
+ bdrv_coroutine_enter(bs, co);
BDRV_POLL_WHILE(bs, !ico.done);
}
}
diff --git a/block/block-backend.c b/block/block-backend.c
index 1d41622942..35e3edb861 100644
--- a/block/block-backend.c
+++ b/block/block-backend.c
@@ -1223,6 +1223,7 @@ static void blk_read_entry(void *opaque)
rwco->ret = blk_co_preadv(rwco->blk, rwco->offset, qiov->size,
qiov, rwco->flags);
+ aio_wait_kick();
}
static void blk_write_entry(void *opaque)
@@ -1232,6 +1233,7 @@ static void blk_write_entry(void *opaque)
rwco->ret = blk_co_pwritev(rwco->blk, rwco->offset, qiov->size,
qiov, rwco->flags);
+ aio_wait_kick();
}
static int blk_prw(BlockBackend *blk, int64_t offset, uint8_t *buf,
@@ -1543,6 +1545,7 @@ static void blk_ioctl_entry(void *opaque)
rwco->ret = blk_co_ioctl(rwco->blk, rwco->offset,
qiov->iov[0].iov_base);
+ aio_wait_kick();
}
int blk_ioctl(BlockBackend *blk, unsigned long int req, void *buf)
@@ -1589,6 +1592,7 @@ static void blk_flush_entry(void *opaque)
{
BlkRwCo *rwco = opaque;
rwco->ret = blk_co_flush(rwco->blk);
+ aio_wait_kick();
}
int blk_flush(BlockBackend *blk)
@@ -2028,6 +2032,7 @@ static void blk_pdiscard_entry(void *opaque)
QEMUIOVector *qiov = rwco->iobuf;
rwco->ret = blk_co_pdiscard(rwco->blk, rwco->offset, qiov->size);
+ aio_wait_kick();
}
int blk_pdiscard(BlockBackend *blk, int64_t offset, int bytes)
diff --git a/block/io.c b/block/io.c
index bd9d688f8b..213ca03d8d 100644
--- a/block/io.c
+++ b/block/io.c
@@ -806,6 +806,7 @@ static void coroutine_fn bdrv_rw_co_entry(void *opaque)
rwco->qiov->size, rwco->qiov,
rwco->flags);
}
+ aio_wait_kick();
}
/*
@@ -2279,6 +2280,7 @@ static void coroutine_fn bdrv_block_status_above_co_entry(void *opaque)
data->offset, data->bytes,
data->pnum, data->map, data->file);
data->done = true;
+ aio_wait_kick();
}
/*
@@ -2438,6 +2440,7 @@ static void coroutine_fn bdrv_co_rw_vmstate_entry(void *opaque)
{
BdrvVmstateCo *co = opaque;
co->ret = bdrv_co_rw_vmstate(co->bs, co->qiov, co->pos, co->is_read);
+ aio_wait_kick();
}
static inline int
@@ -2559,6 +2562,7 @@ static void coroutine_fn bdrv_flush_co_entry(void *opaque)
FlushCo *rwco = opaque;
rwco->ret = bdrv_co_flush(rwco->bs);
+ aio_wait_kick();
}
int coroutine_fn bdrv_co_flush(BlockDriverState *bs)
@@ -2704,6 +2708,7 @@ static void coroutine_fn bdrv_pdiscard_co_entry(void *opaque)
DiscardCo *rwco = opaque;
rwco->ret = bdrv_co_pdiscard(rwco->child, rwco->offset, rwco->bytes);
+ aio_wait_kick();
}
int coroutine_fn bdrv_co_pdiscard(BdrvChild *child, int64_t offset, int bytes)
@@ -3217,6 +3222,7 @@ static void coroutine_fn bdrv_truncate_co_entry(void *opaque)
TruncateCo *tco = opaque;
tco->ret = bdrv_co_truncate(tco->child, tco->offset, tco->prealloc,
tco->errp);
+ aio_wait_kick();
}
int bdrv_truncate(BdrvChild *child, int64_t offset, PreallocMode prealloc,
@@ -3236,7 +3242,7 @@ int bdrv_truncate(BdrvChild *child, int64_t offset, PreallocMode prealloc,
bdrv_truncate_co_entry(&tco);
} else {
co = qemu_coroutine_create(bdrv_truncate_co_entry, &tco);
- qemu_coroutine_enter(co);
+ bdrv_coroutine_enter(child->bs, co);
BDRV_POLL_WHILE(child->bs, tco.ret == NOT_DONE);
}
diff --git a/block/nbd-client.c b/block/nbd-client.c
index fc5b7eda8e..a6b5605c0b 100644
--- a/block/nbd-client.c
+++ b/block/nbd-client.c
@@ -116,6 +116,7 @@ static coroutine_fn void nbd_read_reply_entry(void *opaque)
s->quit = true;
nbd_recv_coroutines_wake_all(s);
s->read_reply_co = NULL;
+ aio_wait_kick();
}
static int nbd_co_send_request(BlockDriverState *bs,
diff --git a/block/nvme.c b/block/nvme.c
index 29294038fc..36779fdd3d 100644
--- a/block/nvme.c
+++ b/block/nvme.c
@@ -390,6 +390,7 @@ static void nvme_cmd_sync_cb(void *opaque, int ret)
{
int *pret = opaque;
*pret = ret;
+ aio_wait_kick();
}
static int nvme_cmd_sync(BlockDriverState *bs, NVMeQueuePair *q,
diff --git a/block/qcow2.c b/block/qcow2.c
index 991d6ac91b..9334414513 100644
--- a/block/qcow2.c
+++ b/block/qcow2.c
@@ -1665,6 +1665,7 @@ static int qcow2_open(BlockDriverState *bs, QDict *options, int flags,
/* From bdrv_co_create. */
qcow2_open_entry(&qoc);
} else {
+ assert(qemu_get_current_aio_context() == qemu_get_aio_context());
qemu_coroutine_enter(qemu_coroutine_create(qcow2_open_entry, &qoc));
BDRV_POLL_WHILE(bs, qoc.ret == -EINPROGRESS);
}
diff --git a/block/qed.c b/block/qed.c
index 9377c0b7ad..1280870024 100644
--- a/block/qed.c
+++ b/block/qed.c
@@ -559,6 +559,7 @@ static int bdrv_qed_open(BlockDriverState *bs, QDict *options, int flags,
if (qemu_in_coroutine()) {
bdrv_qed_open_entry(&qoc);
} else {
+ assert(qemu_get_current_aio_context() == qemu_get_aio_context());
qemu_coroutine_enter(qemu_coroutine_create(bdrv_qed_open_entry, &qoc));
BDRV_POLL_WHILE(bs, qoc.ret == -EINPROGRESS);
}
diff --git a/tests/Makefile.include b/tests/Makefile.include
index d6f67eed85..5682e41384 100644
--- a/tests/Makefile.include
+++ b/tests/Makefile.include
@@ -70,6 +70,7 @@ check-unit-y += tests/test-bdrv-drain$(EXESUF)
check-unit-y += tests/test-blockjob$(EXESUF)
check-unit-y += tests/test-blockjob-txn$(EXESUF)
check-unit-y += tests/test-block-backend$(EXESUF)
+check-unit-y += tests/test-block-iothread$(EXESUF)
check-unit-y += tests/test-image-locking$(EXESUF)
check-unit-y += tests/test-x86-cpuid$(EXESUF)
# all code tested by test-x86-cpuid is inside topology.h
@@ -541,6 +542,7 @@ tests/test-bdrv-drain$(EXESUF): tests/test-bdrv-drain.o $(test-block-obj-y) $(te
tests/test-blockjob$(EXESUF): tests/test-blockjob.o $(test-block-obj-y) $(test-util-obj-y)
tests/test-blockjob-txn$(EXESUF): tests/test-blockjob-txn.o $(test-block-obj-y) $(test-util-obj-y)
tests/test-block-backend$(EXESUF): tests/test-block-backend.o $(test-block-obj-y) $(test-util-obj-y)
+tests/test-block-iothread$(EXESUF): tests/test-block-iothread.o $(test-block-obj-y) $(test-util-obj-y)
tests/test-image-locking$(EXESUF): tests/test-image-locking.o $(test-block-obj-y) $(test-util-obj-y)
tests/test-thread-pool$(EXESUF): tests/test-thread-pool.o $(test-block-obj-y)
tests/test-iov$(EXESUF): tests/test-iov.o $(test-util-obj-y)
diff --git a/tests/test-block-iothread.c b/tests/test-block-iothread.c
new file mode 100644
index 0000000000..97ac0b159d
--- /dev/null
+++ b/tests/test-block-iothread.c
@@ -0,0 +1,372 @@
+/*
+ * Block tests for iothreads
+ *
+ * Copyright (c) 2018 Kevin Wolf <kwolf@redhat.com>
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
+ * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+
+#include "qemu/osdep.h"
+#include "block/block.h"
+#include "block/blockjob_int.h"
+#include "sysemu/block-backend.h"
+#include "qapi/error.h"
+#include "iothread.h"
+
+static int coroutine_fn bdrv_test_co_prwv(BlockDriverState *bs,
+ uint64_t offset, uint64_t bytes,
+ QEMUIOVector *qiov, int flags)
+{
+ return 0;
+}
+
+static int coroutine_fn bdrv_test_co_pdiscard(BlockDriverState *bs,
+ int64_t offset, int bytes)
+{
+ return 0;
+}
+
+static int coroutine_fn
+bdrv_test_co_truncate(BlockDriverState *bs, int64_t offset,
+ PreallocMode prealloc, Error **errp)
+{
+ return 0;
+}
+
+static int coroutine_fn bdrv_test_co_block_status(BlockDriverState *bs,
+ bool want_zero,
+ int64_t offset, int64_t count,
+ int64_t *pnum, int64_t *map,
+ BlockDriverState **file)
+{
+ *pnum = count;
+ return 0;
+}
+
+static BlockDriver bdrv_test = {
+ .format_name = "test",
+ .instance_size = 1,
+
+ .bdrv_co_preadv = bdrv_test_co_prwv,
+ .bdrv_co_pwritev = bdrv_test_co_prwv,
+ .bdrv_co_pdiscard = bdrv_test_co_pdiscard,
+ .bdrv_co_truncate = bdrv_test_co_truncate,
+ .bdrv_co_block_status = bdrv_test_co_block_status,
+};
+
+static void test_sync_op_pread(BdrvChild *c)
+{
+ uint8_t buf[512];
+ int ret;
+
+ /* Success */
+ ret = bdrv_pread(c, 0, buf, sizeof(buf));
+ g_assert_cmpint(ret, ==, 512);
+
+ /* Early error: Negative offset */
+ ret = bdrv_pread(c, -2, buf, sizeof(buf));
+ g_assert_cmpint(ret, ==, -EIO);
+}
+
+static void test_sync_op_pwrite(BdrvChild *c)
+{
+ uint8_t buf[512];
+ int ret;
+
+ /* Success */
+ ret = bdrv_pwrite(c, 0, buf, sizeof(buf));
+ g_assert_cmpint(ret, ==, 512);
+
+ /* Early error: Negative offset */
+ ret = bdrv_pwrite(c, -2, buf, sizeof(buf));
+ g_assert_cmpint(ret, ==, -EIO);
+}
+
+static void test_sync_op_blk_pread(BlockBackend *blk)
+{
+ uint8_t buf[512];
+ int ret;
+
+ /* Success */
+ ret = blk_pread(blk, 0, buf, sizeof(buf));
+ g_assert_cmpint(ret, ==, 512);
+
+ /* Early error: Negative offset */
+ ret = blk_pread(blk, -2, buf, sizeof(buf));
+ g_assert_cmpint(ret, ==, -EIO);
+}
+
+static void test_sync_op_blk_pwrite(BlockBackend *blk)
+{
+ uint8_t buf[512];
+ int ret;
+
+ /* Success */
+ ret = blk_pwrite(blk, 0, buf, sizeof(buf), 0);
+ g_assert_cmpint(ret, ==, 512);
+
+ /* Early error: Negative offset */
+ ret = blk_pwrite(blk, -2, buf, sizeof(buf), 0);
+ g_assert_cmpint(ret, ==, -EIO);
+}
+
+static void test_sync_op_load_vmstate(BdrvChild *c)
+{
+ uint8_t buf[512];
+ int ret;
+
+ /* Error: Driver does not support snapshots */
+ ret = bdrv_load_vmstate(c->bs, buf, 0, sizeof(buf));
+ g_assert_cmpint(ret, ==, -ENOTSUP);
+}
+
+static void test_sync_op_save_vmstate(BdrvChild *c)
+{
+ uint8_t buf[512];
+ int ret;
+
+ /* Error: Driver does not support snapshots */
+ ret = bdrv_save_vmstate(c->bs, buf, 0, sizeof(buf));
+ g_assert_cmpint(ret, ==, -ENOTSUP);
+}
+
+static void test_sync_op_pdiscard(BdrvChild *c)
+{
+ int ret;
+
+ /* Normal success path */
+ c->bs->open_flags |= BDRV_O_UNMAP;
+ ret = bdrv_pdiscard(c, 0, 512);
+ g_assert_cmpint(ret, ==, 0);
+
+ /* Early success: UNMAP not supported */
+ c->bs->open_flags &= ~BDRV_O_UNMAP;
+ ret = bdrv_pdiscard(c, 0, 512);
+ g_assert_cmpint(ret, ==, 0);
+
+ /* Early error: Negative offset */
+ ret = bdrv_pdiscard(c, -2, 512);
+ g_assert_cmpint(ret, ==, -EIO);
+}
+
+static void test_sync_op_blk_pdiscard(BlockBackend *blk)
+{
+ int ret;
+
+ /* Early success: UNMAP not supported */
+ ret = blk_pdiscard(blk, 0, 512);
+ g_assert_cmpint(ret, ==, 0);
+
+ /* Early error: Negative offset */
+ ret = blk_pdiscard(blk, -2, 512);
+ g_assert_cmpint(ret, ==, -EIO);
+}
+
+static void test_sync_op_truncate(BdrvChild *c)
+{
+ int ret;
+
+ /* Normal success path */
+ ret = bdrv_truncate(c, 65536, PREALLOC_MODE_OFF, NULL);
+ g_assert_cmpint(ret, ==, 0);
+
+ /* Early error: Negative offset */
+ ret = bdrv_truncate(c, -2, PREALLOC_MODE_OFF, NULL);
+ g_assert_cmpint(ret, ==, -EINVAL);
+
+ /* Error: Read-only image */
+ c->bs->read_only = true;
+ c->bs->open_flags &= ~BDRV_O_RDWR;
+
+ ret = bdrv_truncate(c, 65536, PREALLOC_MODE_OFF, NULL);
+ g_assert_cmpint(ret, ==, -EACCES);
+
+ c->bs->read_only = false;
+ c->bs->open_flags |= BDRV_O_RDWR;
+}
+
+static void test_sync_op_block_status(BdrvChild *c)
+{
+ int ret;
+ int64_t n;
+
+ /* Normal success path */
+ ret = bdrv_is_allocated(c->bs, 0, 65536, &n);
+ g_assert_cmpint(ret, ==, 0);
+
+ /* Early success: No driver support */
+ bdrv_test.bdrv_co_block_status = NULL;
+ ret = bdrv_is_allocated(c->bs, 0, 65536, &n);
+ g_assert_cmpint(ret, ==, 1);
+
+ /* Early success: bytes = 0 */
+ ret = bdrv_is_allocated(c->bs, 0, 0, &n);
+ g_assert_cmpint(ret, ==, 0);
+
+ /* Early success: Offset > image size*/
+ ret = bdrv_is_allocated(c->bs, 0x1000000, 0x1000000, &n);
+ g_assert_cmpint(ret, ==, 0);
+}
+
+static void test_sync_op_flush(BdrvChild *c)
+{
+ int ret;
+
+ /* Normal success path */
+ ret = bdrv_flush(c->bs);
+ g_assert_cmpint(ret, ==, 0);
+
+ /* Early success: Read-only image */
+ c->bs->read_only = true;
+ c->bs->open_flags &= ~BDRV_O_RDWR;
+
+ ret = bdrv_flush(c->bs);
+ g_assert_cmpint(ret, ==, 0);
+
+ c->bs->read_only = false;
+ c->bs->open_flags |= BDRV_O_RDWR;
+}
+
+static void test_sync_op_blk_flush(BlockBackend *blk)
+{
+ BlockDriverState *bs = blk_bs(blk);
+ int ret;
+
+ /* Normal success path */
+ ret = blk_flush(blk);
+ g_assert_cmpint(ret, ==, 0);
+
+ /* Early success: Read-only image */
+ bs->read_only = true;
+ bs->open_flags &= ~BDRV_O_RDWR;
+
+ ret = blk_flush(blk);
+ g_assert_cmpint(ret, ==, 0);
+
+ bs->read_only = false;
+ bs->open_flags |= BDRV_O_RDWR;
+}
+
+static void test_sync_op_check(BdrvChild *c)
+{
+ BdrvCheckResult result;
+ int ret;
+
+ /* Error: Driver does not implement check */
+ ret = bdrv_check(c->bs, &result, 0);
+ g_assert_cmpint(ret, ==, -ENOTSUP);
+}
+
+static void test_sync_op_invalidate_cache(BdrvChild *c)
+{
+ /* Early success: Image is not inactive */
+ bdrv_invalidate_cache(c->bs, NULL);
+}
+
+
+typedef struct SyncOpTest {
+ const char *name;
+ void (*fn)(BdrvChild *c);
+ void (*blkfn)(BlockBackend *blk);
+} SyncOpTest;
+
+const SyncOpTest sync_op_tests[] = {
+ {
+ .name = "/sync-op/pread",
+ .fn = test_sync_op_pread,
+ .blkfn = test_sync_op_blk_pread,
+ }, {
+ .name = "/sync-op/pwrite",
+ .fn = test_sync_op_pwrite,
+ .blkfn = test_sync_op_blk_pwrite,
+ }, {
+ .name = "/sync-op/load_vmstate",
+ .fn = test_sync_op_load_vmstate,
+ }, {
+ .name = "/sync-op/save_vmstate",
+ .fn = test_sync_op_save_vmstate,
+ }, {
+ .name = "/sync-op/pdiscard",
+ .fn = test_sync_op_pdiscard,
+ .blkfn = test_sync_op_blk_pdiscard,
+ }, {
+ .name = "/sync-op/truncate",
+ .fn = test_sync_op_truncate,
+ }, {
+ .name = "/sync-op/block_status",
+ .fn = test_sync_op_block_status,
+ }, {
+ .name = "/sync-op/flush",
+ .fn = test_sync_op_flush,
+ .blkfn = test_sync_op_blk_flush,
+ }, {
+ .name = "/sync-op/check",
+ .fn = test_sync_op_check,
+ }, {
+ .name = "/sync-op/invalidate_cache",
+ .fn = test_sync_op_invalidate_cache,
+ },
+};
+
+/* Test synchronous operations that run in a different iothread, so we have to
+ * poll for the coroutine there to return. */
+static void test_sync_op(const void *opaque)
+{
+ const SyncOpTest *t = opaque;
+ IOThread *iothread = iothread_new();
+ AioContext *ctx = iothread_get_aio_context(iothread);
+ BlockBackend *blk;
+ BlockDriverState *bs;
+ BdrvChild *c;
+
+ blk = blk_new(BLK_PERM_ALL, BLK_PERM_ALL);
+ bs = bdrv_new_open_driver(&bdrv_test, "base", BDRV_O_RDWR, &error_abort);
+ bs->total_sectors = 65536 / BDRV_SECTOR_SIZE;
+ blk_insert_bs(blk, bs, &error_abort);
+ c = QLIST_FIRST(&bs->parents);
+
+ blk_set_aio_context(blk, ctx);
+ aio_context_acquire(ctx);
+ t->fn(c);
+ if (t->blkfn) {
+ t->blkfn(blk);
+ }
+ aio_context_release(ctx);
+ blk_set_aio_context(blk, qemu_get_aio_context());
+
+ bdrv_unref(bs);
+ blk_unref(blk);
+}
+
+int main(int argc, char **argv)
+{
+ int i;
+
+ bdrv_init();
+ qemu_init_main_loop(&error_abort);
+
+ g_test_init(&argc, &argv, NULL);
+
+ for (i = 0; i < ARRAY_SIZE(sync_op_tests); i++) {
+ const SyncOpTest *t = &sync_op_tests[i];
+ g_test_add_data_func(t->name, t, test_sync_op);
+ }
+
+ return g_test_run();
+}

View File

@ -1,3 +1,22 @@
-------------------------------------------------------------------
Thu Jan 10 18:03:30 UTC 2019 - Bruce Rogers <brogers@suse.com>
- Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-3.1
* Patches added:
0041-vfio-ap-flag-as-compatible-with-bal.patch
0042-hw-s390x-Fix-bad-mask-in-time2tod.patch
0043-pcie-set-link-state-inactive-active.patch
0044-pc-piix4-Update-smbus-I-O-space-aft.patch
0045-hw-usb-fix-mistaken-de-initializati.patch
0046-usb-mtp-use-O_NOFOLLOW-and-O_CLOEXE.patch
0047-pvrdma-release-device-resources-in-.patch
0048-rdma-check-num_sge-does-not-exceed-.patch
0049-pvrdma-add-uar_read-routine.patch
0050-pvrdma-check-number-of-pages-when-c.patch
0051-pvrdma-check-return-value-from-pvrd.patch
0052-pvrdma-release-ring-object-in-case-.patch
0053-block-Fix-hangs-in-synchronous-APIs.patch
------------------------------------------------------------------- -------------------------------------------------------------------
Tue Jan 8 13:41:35 UTC 2019 - olaf@aepfle.de Tue Jan 8 13:41:35 UTC 2019 - olaf@aepfle.de

View File

@ -72,6 +72,19 @@ Patch0037: 0037-tests-qemu-iotests-Triple-timeout-o.patch
Patch0038: 0038-tests-block-io-test-130-needs-some-.patch Patch0038: 0038-tests-block-io-test-130-needs-some-.patch
Patch0039: 0039-xen_disk-Avoid-repeated-memory-allo.patch Patch0039: 0039-xen_disk-Avoid-repeated-memory-allo.patch
Patch0040: 0040-xen-ignore-live-parameter-from-xen-.patch Patch0040: 0040-xen-ignore-live-parameter-from-xen-.patch
Patch0041: 0041-vfio-ap-flag-as-compatible-with-bal.patch
Patch0042: 0042-hw-s390x-Fix-bad-mask-in-time2tod.patch
Patch0043: 0043-pcie-set-link-state-inactive-active.patch
Patch0044: 0044-pc-piix4-Update-smbus-I-O-space-aft.patch
Patch0045: 0045-hw-usb-fix-mistaken-de-initializati.patch
Patch0046: 0046-usb-mtp-use-O_NOFOLLOW-and-O_CLOEXE.patch
Patch0047: 0047-pvrdma-release-device-resources-in-.patch
Patch0048: 0048-rdma-check-num_sge-does-not-exceed-.patch
Patch0049: 0049-pvrdma-add-uar_read-routine.patch
Patch0050: 0050-pvrdma-check-number-of-pages-when-c.patch
Patch0051: 0051-pvrdma-check-return-value-from-pvrd.patch
Patch0052: 0052-pvrdma-release-ring-object-in-case-.patch
Patch0053: 0053-block-Fix-hangs-in-synchronous-APIs.patch
# Please do not add QEMU patches manually here. # Please do not add QEMU patches manually here.
# Run update_git.sh to regenerate this queue. # Run update_git.sh to regenerate this queue.
ExcludeArch: s390 ExcludeArch: s390
@ -143,6 +156,19 @@ syscall layer occurs on the native hardware and operating system.
%patch0038 -p1 %patch0038 -p1
%patch0039 -p1 %patch0039 -p1
%patch0040 -p1 %patch0040 -p1
%patch0041 -p1
%patch0042 -p1
%patch0043 -p1
%patch0044 -p1
%patch0045 -p1
%patch0046 -p1
%patch0047 -p1
%patch0048 -p1
%patch0049 -p1
%patch0050 -p1
%patch0051 -p1
%patch0052 -p1
%patch0053 -p1
%build %build
./configure \ ./configure \

View File

@ -1,3 +1,33 @@
-------------------------------------------------------------------
Thu Jan 10 18:03:29 UTC 2019 - Bruce Rogers <brogers@suse.com>
- include post v3.1.0 patches marked for next stable release:
0041-vfio-ap-flag-as-compatible-with-bal.patch
0042-hw-s390x-Fix-bad-mask-in-time2tod.patch
0043-pcie-set-link-state-inactive-active.patch
0044-pc-piix4-Update-smbus-I-O-space-aft.patch
0045-hw-usb-fix-mistaken-de-initializati.patch
- Address various security/stability issues
* Fix host access vulnerability in usb-mtp infrastructure
(CVE-2018-16872 bsc#1119493)
0046-usb-mtp-use-O_NOFOLLOW-and-O_CLOEXE.patch
* Fix DoS in pvrdma interface (CVE-2018-20123 bsc#1119437)
0047-pvrdma-release-device-resources-in-.patch
* Fix OOB access issue in rdma backend (CVE-2018-20124 bsc#1119840)
0048-rdma-check-num_sge-does-not-exceed-.patch
* Fix NULL pointer reference in pvrdma emulation (CVE-2018-20191
bsc#1119979)
0049-pvrdma-add-uar_read-routine.patch
* Fix DoS in pvrdma interface (CVE-2018-20125 bsc#1119989)
0050-pvrdma-check-number-of-pages-when-c.patch
* Fix DoS in pvrdma interface (CVE-2018-20216 bsc#1119984)
0051-pvrdma-check-return-value-from-pvrd.patch
* Fix DoS in pvrdma interface (CVE-2018-20126 bsc#1119991)
0052-pvrdma-release-ring-object-in-case-.patch
- one more post v3.1.0 patches marked for next stable release:
0053-block-Fix-hangs-in-synchronous-APIs.patch
- Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-3.1
------------------------------------------------------------------- -------------------------------------------------------------------
Tue Jan 8 13:41:35 UTC 2019 - olaf@aepfle.de Tue Jan 8 13:41:35 UTC 2019 - olaf@aepfle.de

View File

@ -177,6 +177,19 @@ Patch0037: 0037-tests-qemu-iotests-Triple-timeout-o.patch
Patch0038: 0038-tests-block-io-test-130-needs-some-.patch Patch0038: 0038-tests-block-io-test-130-needs-some-.patch
Patch0039: 0039-xen_disk-Avoid-repeated-memory-allo.patch Patch0039: 0039-xen_disk-Avoid-repeated-memory-allo.patch
Patch0040: 0040-xen-ignore-live-parameter-from-xen-.patch Patch0040: 0040-xen-ignore-live-parameter-from-xen-.patch
Patch0041: 0041-vfio-ap-flag-as-compatible-with-bal.patch
Patch0042: 0042-hw-s390x-Fix-bad-mask-in-time2tod.patch
Patch0043: 0043-pcie-set-link-state-inactive-active.patch
Patch0044: 0044-pc-piix4-Update-smbus-I-O-space-aft.patch
Patch0045: 0045-hw-usb-fix-mistaken-de-initializati.patch
Patch0046: 0046-usb-mtp-use-O_NOFOLLOW-and-O_CLOEXE.patch
Patch0047: 0047-pvrdma-release-device-resources-in-.patch
Patch0048: 0048-rdma-check-num_sge-does-not-exceed-.patch
Patch0049: 0049-pvrdma-add-uar_read-routine.patch
Patch0050: 0050-pvrdma-check-number-of-pages-when-c.patch
Patch0051: 0051-pvrdma-check-return-value-from-pvrd.patch
Patch0052: 0052-pvrdma-release-ring-object-in-case-.patch
Patch0053: 0053-block-Fix-hangs-in-synchronous-APIs.patch
# Please do not add QEMU patches manually here. # Please do not add QEMU patches manually here.
# Run update_git.sh to regenerate this queue. # Run update_git.sh to regenerate this queue.
@ -945,6 +958,19 @@ This package provides a service file for starting and stopping KSM.
%patch0038 -p1 %patch0038 -p1
%patch0039 -p1 %patch0039 -p1
%patch0040 -p1 %patch0040 -p1
%patch0041 -p1
%patch0042 -p1
%patch0043 -p1
%patch0044 -p1
%patch0045 -p1
%patch0046 -p1
%patch0047 -p1
%patch0048 -p1
%patch0049 -p1
%patch0050 -p1
%patch0051 -p1
%patch0052 -p1
%patch0053 -p1
pushd roms/seabios pushd roms/seabios
%patch1100 -p1 %patch1100 -p1

View File

@ -1,3 +1,33 @@
-------------------------------------------------------------------
Thu Jan 10 18:03:29 UTC 2019 - Bruce Rogers <brogers@suse.com>
- include post v3.1.0 patches marked for next stable release:
0041-vfio-ap-flag-as-compatible-with-bal.patch
0042-hw-s390x-Fix-bad-mask-in-time2tod.patch
0043-pcie-set-link-state-inactive-active.patch
0044-pc-piix4-Update-smbus-I-O-space-aft.patch
0045-hw-usb-fix-mistaken-de-initializati.patch
- Address various security/stability issues
* Fix host access vulnerability in usb-mtp infrastructure
(CVE-2018-16872 bsc#1119493)
0046-usb-mtp-use-O_NOFOLLOW-and-O_CLOEXE.patch
* Fix DoS in pvrdma interface (CVE-2018-20123 bsc#1119437)
0047-pvrdma-release-device-resources-in-.patch
* Fix OOB access issue in rdma backend (CVE-2018-20124 bsc#1119840)
0048-rdma-check-num_sge-does-not-exceed-.patch
* Fix NULL pointer reference in pvrdma emulation (CVE-2018-20191
bsc#1119979)
0049-pvrdma-add-uar_read-routine.patch
* Fix DoS in pvrdma interface (CVE-2018-20125 bsc#1119989)
0050-pvrdma-check-number-of-pages-when-c.patch
* Fix DoS in pvrdma interface (CVE-2018-20216 bsc#1119984)
0051-pvrdma-check-return-value-from-pvrd.patch
* Fix DoS in pvrdma interface (CVE-2018-20126 bsc#1119991)
0052-pvrdma-release-ring-object-in-case-.patch
- one more post v3.1.0 patches marked for next stable release:
0053-block-Fix-hangs-in-synchronous-APIs.patch
- Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-3.1
------------------------------------------------------------------- -------------------------------------------------------------------
Tue Jan 8 13:41:35 UTC 2019 - olaf@aepfle.de Tue Jan 8 13:41:35 UTC 2019 - olaf@aepfle.de

View File

@ -177,6 +177,19 @@ Patch0037: 0037-tests-qemu-iotests-Triple-timeout-o.patch
Patch0038: 0038-tests-block-io-test-130-needs-some-.patch Patch0038: 0038-tests-block-io-test-130-needs-some-.patch
Patch0039: 0039-xen_disk-Avoid-repeated-memory-allo.patch Patch0039: 0039-xen_disk-Avoid-repeated-memory-allo.patch
Patch0040: 0040-xen-ignore-live-parameter-from-xen-.patch Patch0040: 0040-xen-ignore-live-parameter-from-xen-.patch
Patch0041: 0041-vfio-ap-flag-as-compatible-with-bal.patch
Patch0042: 0042-hw-s390x-Fix-bad-mask-in-time2tod.patch
Patch0043: 0043-pcie-set-link-state-inactive-active.patch
Patch0044: 0044-pc-piix4-Update-smbus-I-O-space-aft.patch
Patch0045: 0045-hw-usb-fix-mistaken-de-initializati.patch
Patch0046: 0046-usb-mtp-use-O_NOFOLLOW-and-O_CLOEXE.patch
Patch0047: 0047-pvrdma-release-device-resources-in-.patch
Patch0048: 0048-rdma-check-num_sge-does-not-exceed-.patch
Patch0049: 0049-pvrdma-add-uar_read-routine.patch
Patch0050: 0050-pvrdma-check-number-of-pages-when-c.patch
Patch0051: 0051-pvrdma-check-return-value-from-pvrd.patch
Patch0052: 0052-pvrdma-release-ring-object-in-case-.patch
Patch0053: 0053-block-Fix-hangs-in-synchronous-APIs.patch
# Please do not add QEMU patches manually here. # Please do not add QEMU patches manually here.
# Run update_git.sh to regenerate this queue. # Run update_git.sh to regenerate this queue.
@ -945,6 +958,19 @@ This package provides a service file for starting and stopping KSM.
%patch0038 -p1 %patch0038 -p1
%patch0039 -p1 %patch0039 -p1
%patch0040 -p1 %patch0040 -p1
%patch0041 -p1
%patch0042 -p1
%patch0043 -p1
%patch0044 -p1
%patch0045 -p1
%patch0046 -p1
%patch0047 -p1
%patch0048 -p1
%patch0049 -p1
%patch0050 -p1
%patch0051 -p1
%patch0052 -p1
%patch0053 -p1
pushd roms/seabios pushd roms/seabios
%patch1100 -p1 %patch1100 -p1

View File

@ -76,15 +76,14 @@ if [ "$OLD_SOURCE_VERSION_AND_EXTRA" = "" ]; then
echo "Warning: No tarball found" echo "Warning: No tarball found"
fi fi
if [[ $QEMU_TARBALL =~ $BASE_RE$EXTRA_RE$SUFFIX_RE ]]; then
OLD_COMMIT_ISH=${BASH_REMATCH[3]}
else
#Assume release (or release candidate) tarball with equivalent tag:
OLD_COMMIT_ISH=$(cd $GIT_LOCAL_TREE && git rev-list --abbrev-commit \
--abbrev=9 -1 v$OLD_SOURCE_VERSION_AND_EXTRA)
fi
if [ "$GIT_UPSTREAM_COMMIT_ISH" = "LATEST" ]; then if [ "$GIT_UPSTREAM_COMMIT_ISH" = "LATEST" ]; then
if [[ $QEMU_TARBALL =~ $BASE_RE$EXTRA_RE$SUFFIX_RE ]]; then
OLD_COMMIT_ISH=${BASH_REMATCH[3]}
else
#Assume release (or release candidate) tarball with equivalent tag:
OLD_COMMIT_ISH=$(cd $GIT_LOCAL_TREE && git rev-list --abbrev-commit \
--abbrev=9 -1 v$OLD_SOURCE_VERSION_AND_EXTRA)
fi
if [ ${#QEMU_TARBALL_SIG[@]} -ne 0 ]; then if [ ${#QEMU_TARBALL_SIG[@]} -ne 0 ]; then
echo "INFO: Ignoring signature file: $QEMU_TARBALL_SIG" echo "INFO: Ignoring signature file: $QEMU_TARBALL_SIG"
QEMU_TARBALL_SIG= QEMU_TARBALL_SIG=